Iranian Hackers Targeted Treasury Officials, Atomic Scientists And...An Intern?

Move over China, Russia and North Korea - Iran is now vying for the title of America's most threatening cyber nemesis. According to a report in the Associated Press, an Iranian hacking group known by the codename "Charming Kitten" has been caught by a private security firm trying to break into the email accounts of US nuclear scientists and policy makers, presumably to try and figure out what the US knows about Iran's clandestine enrichment program, and what, exactly, is happening in the minds of America's most senior policy setters.

Iran

After Trump reimposed sanctions against Iran last month (while offering a crucial backdoor in the form of oil -export waivers), the Iranian government rushed to try and infiltrate the accounts of people tasked with enforcing them.

AP's report included a summary of information provided by Certfa, which tracked how the hackers, who have ties to the Iranian regime, have tried to infiltrate the email accounts of US citizens over the past month using a surprisingly crude methodolgy: The so-called "phishing" attacks that rely on counterfeit emails to trick people in giving up their login information. The news follows a report earlier this week that the Marriott hack was orchestrated by Chinese intelligence agents.

Google

Those targeted by the Iranians include: Treasury officials, high-profile "defenders, detractors and enforcers" of the Iranian nuclear deal, Arab atomic scientists, Iranian civil society figures and even an intern at a DC think tank.

"Presumably, some of this is about figuring out what is going on with sanctions," said Frederick Kagan, a scholar at the American Enterprise Institute who has written about Iranian cyberespionage and was among those targeted.

Kagan said he was alarmed by the targeting of foreign nuclear experts.

"This is a little more worrisome than I would have expected," he said.

In an entertaining twist, Certfa was able to capture evidence of the Iranian hackers' efforts after the group accidentally left its server open to the Internet last month. The server was promptly ransacked by the security firm, which extracted a list of 77 email addresses that had been targeted by the hackers.

The hit list surfaced after Charming Kitten mistakenly left one of its servers open to the internet last month. Researchers at Certfa found the server and extracted a list of 77 Gmail and Yahoo addresses targeted by the hackers that they handed to the AP for further analysis. Although those addresses likely represent only a fraction of the hackers’ overall effort - and it’s not clear how many of the accounts were successfully compromised - they still provide considerable insight into Tehran’s espionage priorities.

"The targets are very specific," Certfa researcher Nariman Gharib said.

In a report published Thursday , Cerfta tied the hackers to the Iranian government, a judgment drawn in part on operational blunders, including a couple of cases where the hackers appeared to have accidentally revealed that they were operating from computers inside Iran. The assessment was backed by others who have tracked Charming Kitten. Allison Wikoff, a researcher with Atlanta-based Secureworks, recognized some of the digital infrastructure in Certfa’s report and said the hackers’ past operations left little doubt they were government-backed.

"It’s fairly clear-cut," she said.

Perhaps the most alarming finding is that the hackers targeted nuclear scientists from rival Arab nations, a sign that the hackers had hoped to steal technology which could help Iranians speed up its enrichment of uranium.

Iran has previously denied responsibility for hacking operations, but an AP analysis of its targets suggests that Charming Kitten is working in close alignment with the Islamic Republic’s interests. The most striking among them were the nuclear officials — a scientist working on a civilian nuclear project for the Pakistan’s Ministry of Defense, a senior operator at the Research and Training Reactor in the Jordanian city of Ramtha, and a high-ranking researcher at the Atomic Energy Commission of Syria.

The trio suggested a general interest in nuclear technology and administration. Others on the hit list — such as Guy Roberts, the U.S. Assistant Secretary of Defense for Nuclear, Chemical, and Biological Defense Programs — pointed to an eagerness to keep track of officials charged with overseeing America’s nuclear arsenal.

"This is something I’ve been worried about," Roberts said when alerted to his presence on the list.

Aside from policy makers involved with the initial Iran deal negotiated under the Obama administration, the hackers also targeted a Honeywell employee in charge of the industrial giant's "emerging technology" unit...

Like the Russian hackers who have chased after America’s drone, space and submarine secrets, the list indicates that Iranian spies were also interested in the world of U.S. defense companies. One of those targeted is a senior director of “breakthrough technology” at the aerospace arm of Honeywell International Inc., the New Jersey-based industrial conglomerate; another is a vice president at Virginia-based Science Applications International Corp., a prominent Pentagon contractor.

Honeywell said it was aware that one of its employees had their personal account “exposed,” adding that there was no evidence that the company’s network was compromised. SAIC said it found no trace of any hacking attempt against its employee’s account.

...As well as - bizarrely enough - an intern at a DC think tank.

Another Charming Kitten target was an intern working for the Foundation for Defense of Democracies, a Washington think tank that has been one of the Iran deal’s fiercest critics. How the intern — whose email isn’t public and whose name appears nowhere on the organization’s website — crossed the hackers’ radar is not clear. The foundation issued a statement calling the revelation “yet another indicator that Iran must be viewed as a nefarious actor in all theatres in which it operates.”

And, of course, Treasury Department employees tasked with enforcing the sanctions against Iran.

An analysis of Certfa’s data shows the group targeted at least 13 U.S. Treasury employees’ personal emails, including one belonging to a director at the Financial Crimes Enforcement Network, which fights money laundering and terror financing, and one used by the Iran licensing chief at the Office of Foreign Asset Control, which is in charge of enforcing U.S. sanctions. But a few employees’ LinkedIn profiles referenced back office jobs or routine tax work.

That suggested “a fairly scattershot attempt,” said Clay Stevenson, a former Treasury official who now consults on sanctions and was himself targeted by Charming Kitten.

Cyberwarfare has been a feature of US-Iranian relations for decades (remember Stuxnet?). We now await revelations that, in addition to trying to steal nuclear secrets, the Iranians also sought to "destabilize" the US by circulating memes with pro-BML and pro-Hillary Clinton messaging.